Logstash Date parsing (with AM/PM data) for YYYY-MM-dd HH:mm:ss,SSS format

Hi,
I am new to logstash. With some R&D I have written a grok, but don't weather it validates or not.

Input:
####<Jun 17, 2019 1:33:20 PM GMT>

Output:
I need the date in the format of 2019-06-17T13:33:20.000Z in ES.
Basically if the timestamp is in PM format then add 12 hrs. Like above time was 1PM , and I need the o/p as 13.

My Prog:

grok {
match => { "message" => "####<%{MONTH:month} %{MONTHDAY:day}, %{YEAR:year} %{TIME:time} %{DATA:ampm} %{DATA:gmt}> %{GREEDYDATA:errormessage}" }
}
if[ampm == "PM"]{
time=time+12
}
mutate {
add_field => { "eventTimestamp" => "%{year}-%{month}-%{day} %{time}" }
}
date {
match => ["eventTimestamp", "YYYY-MM-dd HH:mm:ss,SSS"]
timezone => "UTC"
target => "eventTimestamp"
}

Question: So will this block would suffice ""if[ampm == "PM"]"".

Thanks in advance for any kind of help.

A date filter will parse this provided you use hh for the hour

grok { match => { "message" => "^####<%{DATA:[@metadata][ts]}>$" } }
date { match => [ "[@metadata][ts]", "MMM dd, YYYY hh:mm:ss a ZZZ" ] }

In your configuration "time = time + 12" will not do what you want.

Note that dd and hh will both match either one or two digits.

When I start the log-stash it is giving JSON parser failure for this pattern.

There is no mention of JSON in this thread, so there is no way for us to understand why that might happen unless you show us the configuration and the data.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.